devel/carwash: update to 0.3.3
[0.3.3] - 2025-12-09
Performance Improvements
Eliminated Double-Checking on Update Wizard
Opening the update wizard with 'u' now shows cached results instantly
Previously, all dependencies were re-checked one by one even when cache was fresh
Now skips the entire check when all dependencies are within cache TTL
Individual dependency updates only send UI notifications for deps that actually needed checking
New Features
Pre-release Version Detection
Added semver parsing to distinguish stable versions from beta/rc/alpha releases
has_stable_update() method ignores pre-release versions when checking for updates
Prevents suggesting downgrades from stable to pre-release versions
[42 lines not shown]
devel/bacon: update to 3.20.3
v3.20.3
- fix a compilation problem of the "sound" feature - Fix #412 - Thanks @orhun
v3.20.2
- fix dependencies not compatible with rust MSRV - Fix #407 - Thanks @alerque
- display message on sound when not enabled - Fix #410
Move the decrement of lfs_iocount after the pool_put in the cluster callback;
and explicitly check lfs_iocount before destroying the pool at unmount.
Prevents an occasional "pool busy" panic at unmount time.
Do not check and convert all root-level directory entries with inode number 1
into regular files. The Ifile has not been exposed in the file system for
more than 15 years, and this conversion makes it impossible to have whiteouts
at the root level.
Import openresolv-3.17.1 with the following changes:
resolvconf: Single quote parsed values from resolv.conf
When parsing resolv.conf entries we build up shell variables.
Because this is done via a pipe, we need to echo the variables
to stdout and eval the result to get them into the main resolvconf.
We have no idea what the values are, so we build up the output
ensuring the parsed value is single quoted so eval will always
interpret it as a string and nothing more.
This avoids an attack like so:
`echo 'search $(touch /tmp/foo)' | resolvconf -a bar`
nono: update to 1.6.4.
1.6.4 (2025/12/08)
m68k(Fix): "Fix SRP/URP register masks in 68040. This makes NetBSD newpmap kernel bootable."
m68k(Fix): "Fix an issue where the lower 4 bits of SRP/CRP register in 68030 were cleared."
m68k(Fix): "Fix memory accesses in PACK/UNPK instructions to a single word access."
m68k(Update): "Implement several corner cases in 68030 PTEST instruction."
m68k(Update): "Rewrite whole 68030 MMU and improve performance slightly."
m68k(Update): "Improve 68030 ATC performance slightly."
vm(Update): "Implement ESC D and ESC M in serial console emulation."
host(Fix): "Fix an abnormal termination in usermode network."
host(Fix): "Fix an issue that the application could not be terminated in usermode network."
GUI(Update): "Improve the page table monitor."
GUI(Fix): "Remove incorrect TT hit rate in 68030 ATC monitor since ver 1.6.3."
debugger(Fix): "Fix an issue where different exceptions occurring consecutively at the same address were not recorded in Exception history."
debugger(New): "Implement "pe" command."
python314 py314-html-docs: updated to 3.14.2
Python 3.14.2
Security
gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
Library
gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions.
gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
gh-142214: Fix two regressions in dataclasses in Python 3.14.1 related to annotations.
An exception is no longer raised if slots=True is used and the __init__ method does not have an __annotate__ attribute (likely because init=False was used).
An exception is no longer raised if annotations are requested on the __init__ method and one of the fields is not present in the class annotations. This can occur in certain dynamic scenarios.
[6 lines not shown]
python313 py313-html-docs: updated to 3.13.11
Python 3.13.11
Security
gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
Library
gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions.
gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
Core and Builtins
gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key.
py-django-allauth: updated to 65.13.1
65.13.1
Note worthy changes
- Django 6.0 is now officially supported.
Fixes
- Internal imports related to headless token strategies were causing (harmless)
deprecation warnings, fixed.
- Pending social signups stored in the session by allauth versions prior to
65.5.0 are not resumable by newer versions. This could cause 500s while
upgrading, fixed.
- Headless: the reauthentication-required response in the OpenAPI specification
was wrongly nested and did not match the actual implementation, fixed.